BOX PCT

IN THE UNITED STATES ELECTED/DESIGNATED OFFICE 
OF THE UNITED STATES PATENT AND TRADEMARK OFFICE 
UNDER THE PATENT COOPERATION TREATY-CHAPTER E 

PRELIMINARY AMENDMENT 

APPLICANT: Dr. Gerhard Spitz DOCKET NO: 1 12740-271 

SERIAL NO: GROUP ART UNIT: 

EXAMINER: 

INTERNATIONAL APPLICATION NO: PCT/DE00/00077
INTERNATIONAL FILING DATE: 11 January 2000

INVENTION: A METHOD FOR SECURING ACCESS TO AT LEAST ONE 
VARIABLE IN A PREEMPTIVELY MULTITASKING- 
CONTROLLED PROCESSOR SYSTEM 

Assistant Commissioner for Patents, 
Washington, D.C. 20231 

Sir: 

Please amend the above-identified International Application before entry into 
the National stage before the U.S. Patent and Trademark Office under 35 U.S.C. §371 
as follows: 

In the Specification:

Please replace the Specification of the present application, including the 
Abstract, with the following Substitute Specification: 

SPECIFICATION 
TITLE 

MULTITASKING-CONTROLLED PROCESSOR SYSTEM 
BACKGROUND OF THE INVENTION 
Field of the Invention 

In existing and future information processing systems, such as personal
computers, software objects (also referred to as processes) are and will be
administered using the operating system in such a way that the hardware system, in
particular the process-processing device which is provided in the information
processing system, such as the processor, is utilized uniformly with the aim of high
overall efficiency. In this way, the software modules which are assigned to the
processor by the operating system (also referred to as tasks) are processed by the
processor. Here, special operating systems, for example Windows 95, are provided for
the information processing systems which have a monoprocessor, i.e. the information
processing system has just one processor, the operating systems also permitting
multi-user operation or multiple-process operation on a monoprocessor - see in this
respect "Architektur von Betriebssystemen" [Architecture of Operating Systems], H.
Wetterstein, Hanser Studien Bücher [publishing house], 1984, pp. 54 et seq. The
operating mode which is required for the multiple-process operation of a processor is
known in the specialist field under the term "multiprogramming" or else
"multitasking". In this way, during the execution of a task the information processing
system can also carry out a further task such as the reading of data from a storage
medium of the information processing system or, for example, the displaying of data
on a data viewing station in a "quasiparallel" fashion.



Furthermore, a distinction is made between "cooperative" and "preemptive"
multitasking. In the case of "cooperative" multitasking, each individual currently
executed task itself determines, according to requirements, the time period for which it
takes up the processor; i.e., the currently running task decides on the time when the
processor is released for the processing of further tasks. In the case of "preemptive"
multitasking, a task of the operating system, known in the specialist field as
"scheduler" or even "task scheduler", interrupts the currently executed task after a
predefined or assigned time period has finished; i.e., the time when the processor is
assigned and released is determined using the task scheduler.

In order to execute a function of the operating system, for example an operating
system task such as the task scheduler, a special operating mode of the processor for
protecting the data of the operating system task is provided which is known as
supervisor or kernel mode - see Andrew S. Tanenbaum, "Betriebssysteme - Entwurf
und Realisierung" [Operating Systems - Design and Implementation] part 1,
Prentice-Hall International, 1990, pp 31/32. To do this, the processor is switched over
using a supervisor call from a user mode into the supervisor mode and the control of the
processor is thus transferred to the operating system or its tasks. In contrast with the
supervisor mode, not all instructions are acceptable in the user mode, inter alia, in the
user mode the use of input and output instructions and of some special instructions is
prohibited. Likewise, in the user mode the access to all the data is generally not
possible, for example the data of the operating system can neither be read nor amended
for non-operating system tasks.

Specifically in the case of information processing systems which act according
to the multitasking principle, variables or blocks of variables which are accessed
during the processing of a task must be protected against competing accesses, for
example by further tasks. This ensures that, for example, the errors occurring during
dual simultaneous variable access cannot lead to any blockages of further tasks or of
the entire information processing system. Such a protection mechanism is described
below using the formulation "secured access" to at least one variable, and the term
variable can refer here both to a variable of a software module which is stored in a
memory unit and to a hardware-related setting information item which is stored in a
hardware register. Such secured accesses frequently take place when specific problems
are posed, for example in information systems which are used to control real time
systems but must also access data which can be administrated, and are of short
duration in comparison to the average time period between two successive task
changes. Consequently, the probability of a task change during a secure access is very
low, but cannot at all be excluded.

The implementation of a "secure access" by a task can be carried out using
various protection mechanisms. This includes, inter alia, the setting of a task change
inhibit in order to avoid a competing access by a further task to the variables which are
being accessed by the task currently running on the processor. To do this, before the
variables to be read are accessed using a supervisor call, the processor is switched over
into the supervisor mode and the setting of a task change inhibit is requested from the
operating system in order to obtain exclusive access for the processor, and thus also for
the desired variable, for the currently accessing task. Then, the processor is switched
back into the user mode and the desired access to the variable can be secured by the
previously interrupted task; i.e., without interruption. After termination of the secure
access by the currently running task, it is necessary to change again into the supervisor
mode via a supervisor call and for the task change inhibit to be reset by the operating
system in the supervisor mode. In order to further process the task which is currently to
be processed, the processor is then changed back into the user mode and the time
monitoring activated during the setting of the task change inhibit is deactivated in
order to avoid the processor being blocked for an indeterminately long time.

A further method of implementing a secure access is used in the
synchronization of tasks, i.e. the coordination of a number of tasks which alternately
access the processor, in order to avoid the conflicts which occur in the multitasking
mode. Here, the semaphore technique is frequently used for the synchronization of the
individual tasks. According to its mathematical-theoretical definition, a semaphore is
an integral, non-negative variable associated with a queue. Here, the initial value of the
semaphore defines how many tasks can be located simultaneously in a secured section
controlled by a semaphore. The queue contains the tasks which wait for the secured
section to be entered. To do this, a semaphore is checked and modified by the currently
running task in order to implement the secure access to a variable via an
uninterruptible read/write cycle. If, for example, this semaphore is greater than zero, it
is decremented and the secure access to the desired variable is subsequently carried out
by the currently running task. If the semaphore is already equal to zero, the task which
requests a secure access is changed into the waiting state and the semaphore variable is
not changed. At the end of the secure access to the variable, it is checked whether tasks
are waiting on this semaphore, and if appropriate, one of the tasks located in the
waiting state is activated; i.e., the processor is assigned. If there is no task waiting on
the semaphore, the semaphore is incremented again by an uninterruptible read/write
cycle. These uninterruptible read/write cycles to the semaphore variable can be
implemented, in a way similar to the method of the task change inhibit, by a supervisor
call and the subsequent handling by the operating system or in the user mode with
special support by the processor hardware and processor bus hardware. Here too, time
monitoring, whose function consists in avoiding the processor being blocked for a
longer than average time, is provided for the duration of the secure access.

In the previously described implementations of a secure access to variables, a
number of operating mode changes including the associated technical operating task
processing or special support by processor hardware and processor bus hardware are
necessary during each access; i.e., secure accesses to variables increase the loading on
the processor or require additional and specially supporting hardware.

An object to which the present invention is directed lies in improving the
implementation of a secure access to at least one variable in a preemptively
multitasking-controlled processor system.

SUMMARY OF THE INVENTION 
An aspect of the method according to the present invention is that an access
status memory is provided in a preemptively multitasking-controlled processor system
for secure access to at least one variable, into which access status memory a blocking
information item is input by the accessing task before a current access to at least one
variable. Furthermore, when there is a task change intended by the task scheduler
during the current access, the task scheduler checks the access status memory for a
blocking information item which has been input and when the blocking information
item has been input the task scheduler delays the intended task change. Finally, the
task change information item is input into the access status memory using the blocking
information item. At the end of the current access, a release information item is input
into the access status memory by the currently accessing task and when a task change
information item is input the requested task change is initiated by the currently
accessing task. The use of an additional access status memory has the advantage that
the switching over of the processor into the supervisor mode which, for example, is
necessary with the task changing inhibit method, and the subsequent execution of an
operating system task are dispensed with, and a considerable dynamic relieving of the
loading on the processor is thus achieved, especially since secure accesses to variables
occur very frequently when certain problems which occur during the operation of an
information processing system arise. In addition, the inputting of the blocking
information item, the task change information item or the release information item
requires only a few machine instructions and is thus easy to implement in terms of
programming technology. Furthermore, in the method according to the present
invention, in contrast to the semaphore technique, no additional hardware support in
the form of processor hardware or processor bus hardware is necessary, which leads to
a cost-effective implementation of the secure access to variables which is not tied to
specific hardware. Furthermore, during the secure access the accessing task is
advantageously not interrupted by a task change which is intended by a further task,
and in addition the intended task change is not rejected but rather delayed so that after
the evaluation of the task change information item at the end of the secure access the
intended task change can be directly retrieved by the task scheduler.

A further aspect of the method according to the present invention is that, in 
addition to inputting the task change information item, a time monitoring system with 
a time period of at least the duration of the secure access is activated, and that the 
current access is terminated after the expiration of the defined time period. The time 
monitoring system in the method according to the present invention is not generally 
activated during the initialization of a secure access but rather only when there is a task 
change intended during the current access, and the dynamic loading, which is usually 
necessary during the use of the already known methods, for example semaphore 
technique or the setting of a task change inhibit, is thus dispensed with. This leads to 
an additional dynamic relieving of the load on the information processing system or the 
processor. 

According to a further embodiment of the method according to the present 
invention, the contents of the access status memory are checked at the end of the 
secure access and before the inputting of the release information item so that when a 
task change information item is present, the activated time monitoring system is 
deactivated and a technical operating information item which initiates the intended task 
change is transmitted to the task scheduler by the currently accessing task. The 
checking of the contents of the access status memory advantageously ensures that, 
directly after termination of the secure access, the task scheduler is informed about the 
intended task change which is indicated by the task change information item, because 
without the indication of the technical operating information item which indicates the 
intended task change, the task scheduler would not carry out the delayed task change. 
Instead, the intended task change would be carried out at the time at which the 
currently accessing task is interrupted by the task scheduler; i.e., the intended task 
change would be unnecessarily delayed beyond the time period of the secure access. 

Additional features and advantages of the present invention are described in,
and will be apparent from, the following Detailed Description of the Preferred
Embodiments and the Drawings.

DESCRIPTION OF THE DRAWINGS

Figure 1 shows a schematic diagram of an information processing system to 
which the method of the present invention is directed. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

In Figure 1, a first and a second user task T1, T2 and an operating system task
BST are represented, by way of example, according to their processing over time by
the processor of an information processing system which acts according to the
preemptive multitasking method. Furthermore, a supervisor mode SM and a user
mode UM of the processor and the associated tasks are indicated by two separate areas.
Here, in the supervisor mode SM, the operating system task BST, later also called
scheduler or task scheduler BST, is represented for processing by the processor, and in
the user mode a first and a second user task T1, T2 for the processing by the processor
are illustrated by way of example. A task which is currently in the waiting state, for
example the operating system task BST at the time zero in Figure 1 and the second
user task T2, is indicated using a broken line designated by BST and T2, and a
currently executed task, the first user task T1 at the time zero in Figure 1, is indicated
by an unbroken line designated by T1.

In order to represent the timing sequence of the method according to the
invention of a secure access gz to at least one variable, a time axis t is provided on
which a first, second, third, fourth and fifth time t1, t2, t2', t3, t3' are marked.
Furthermore, a memory unit SE1 with an access status memory unit ZSE1 at the first,
third and fourth time t1, t2', t3 is illustrated, information relating to the first, currently
running task T1 being input in the memory unit ZSE1, and the memory can be
implemented, for example, as part of a volatile memory. According to the method of
the present invention, inter alia, a blocking information item SI, a task change
information item WI and a release information item FI can be input into the access
status memory unit ZSE1 which is assigned to the first, currently running user task T1.

Furthermore, the duration of a secure access gz to at least one variable by the
first user task T1, which extends from the first time t1 to the fourth time t3, is
illustrated. At the time zero, the first user task T1 is already currently assigned to the
processor and the second user task T2 and the operating system task BST are in the
waiting state. At the first time t1, the first user task T1 initializes a secure access to at
least one variable; i.e., the blocking information item SI is input into the access status
memory unit ZSE1(t1) by the first user task T1 instead of the release information item
FI which is input into it. Then, the first, currently executed user task T1 is in an
uninterruptible execution state and can, thus, access the desired variables in a secured
fashion.

At a later, second time t2, a task change request TWA is indicated as a result,
for example, of an external event EE, for example the presence of external messages or
as a result of the time period which is assigned to the first user task T1 by the task
scheduler BST being exceeded, and the currently executed, first user task T1 is then
changed into a quasi-waiting state wz by the task scheduler BST. Then, before the task
scheduler BST initiates a task change TW after the task change request TWA has been
received, the task scheduler BST checks the contents of the access status memory unit
ZSE1(t2'). If a blocking information item SI relating to a third time t2' is input in the
access memory unit ZSE1(t2') for the currently executed, first user task T1, the
requested task change TWA is delayed by the task scheduler BST and instead of the
blocking information SI a task change information item WI is input into the access
status memory unit ZSE1(t2'). Then, the first, currently executed user task T1 is
further processed and the quasi-waiting state wz is thus terminated again by the task
scheduler BST. The first user task T1 can thus carry on the secure access (gz) for the
desired variables without it being forced to release the processor by the task scheduler
BST. In addition, at the third time t2', the task scheduler BST activates a time
monitoring system TM in order to avoid the processor being blocked by the secure
access gz of the first user task T1 for an unacceptably long time.

At the end of the secure access gz, indicated by way of example in Figure 1 as
the fourth time t3, the contents of the access status memory unit ZSE1(t3) are firstly
checked for the presence of a task change information item WI. If no task change
information item WI has been input in the access status memory unit ZSE1(t3), the
currently accessing, first user task T1 inputs the release information item FI instead of
the present blocking information item SI, and the secure access gz is thus terminated;
i.e., the currently accessing, first user task T1 can then be interrupted again. The
currently accessing, first user task T1 can then access the processor until the task
scheduler BST provides for a task change TW; i.e., the time of use of the processor
which is assigned to the first user task T1 by the task scheduler BST has expired or a
task change request TWA is indicated to the task scheduler BST by an external event
EE.

If, on the other hand, a task change information item WI is input, a task change
request TWA is directly indicated to the task scheduler BST, as illustrated in Figure 1,
so that, after the processing of the associated technical operating tasks, it can be used
to carry out a task change TW. In addition, the release information item FI is input
into the access status memory unit ZSE1(t3) by the first user task T1 instead of the
input task change information item WI and after the secure access gz has been
terminated, the time monitoring system TM is deactivated. Furthermore, the task
scheduler BST which is executed in the supervisor mode SM extracts the processor
from the first user task T1 and changes it to the waiting state.

Then, in the time period between the fourth and the fifth times t3, t3', the
technical operating tasks which are provided by the task scheduler BST for a task
change TW are processed within the supervisor mode; i.e., a task change TW is carried
out by the operating system. For the execution of the second user task T2 which the
processor has assigned at that particular time, the processor is switched over into the
user mode and the second user task T2 can thus be assigned to the processor starting
from the fifth time t3'.
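
The sequence of Figure 1 can be followed in a small C model of the access status
memory. This is an added example and not part of the application: the type and
function names, the single status word per processor, and the forced task change
when the time monitoring system TM expires are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Contents of the access status memory (ZSE1 in the text). */
typedef enum { FI_RELEASE, SI_BLOCKING, WI_TASK_CHANGE } access_status;

typedef struct {
    access_status zse;      /* access status memory of the running task */
    bool tm_active;         /* time monitoring system TM is armed       */
    int running;            /* task that currently owns the processor   */
    int pending;            /* target of a delayed task change, or -1   */
    int supervisor_entries; /* how often supervisor mode was entered    */
} cpu_model;

void cpu_init(cpu_model *c, int first_task) {
    c->zse = FI_RELEASE;
    c->tm_active = false;
    c->running = first_task;
    c->pending = -1;
    c->supervisor_entries = 0;
}

/* Task change TW. Assumed simplification: one status word is modelled, so
 * the incoming task finds FI in it. */
static void task_change(cpu_model *c, int next) {
    c->running = next;
    c->pending = -1;
    c->tm_active = false;
    c->zse = FI_RELEASE;
}

/* t1: the task inputs SI with a plain store, no supervisor call. */
void begin_secure_access(cpu_model *c) { c->zse = SI_BLOCKING; }

/* t2/t2': a task change request TWA reaches the scheduler BST.
 * Returns true if the change was carried out, false if it was delayed. */
bool scheduler_task_change_request(cpu_model *c, int next) {
    c->supervisor_entries++;      /* the scheduler runs in supervisor mode */
    if (c->zse == FI_RELEASE) {
        task_change(c, next);
        return true;
    }
    /* SI found (a repeated request while WI is set is treated the same,
     * an assumption): delay the change, input WI, arm TM. */
    c->zse = WI_TASK_CHANGE;
    c->pending = next;
    c->tm_active = true;
    return false;
}

/* t3: end of the secure access. Returns true if a delayed change ran. */
bool end_secure_access(cpu_model *c) {
    bool delayed = (c->zse == WI_TASK_CHANGE); /* check before inputting FI */
    c->zse = FI_RELEASE;
    if (!delayed)
        return false;             /* fast path: no supervisor entry at all */
    c->supervisor_entries++;      /* TWA is indicated to the scheduler     */
    task_change(c, c->pending);   /* also deactivates TM                   */
    return true;
}

/* TM expiry ends the access. Forcing the delayed change at this point is
 * an assumption; the text only states that the access is terminated. */
bool time_monitor_expired(cpu_model *c) {
    if (!c->tm_active)
        return false;
    c->supervisor_entries++;
    task_change(c, c->pending);
    return true;
}

/* Constructed scenarios; task ids 1 and 2 stand for T1 and T2. */
cpu_model scenario_uncontended(void) {
    cpu_model c;
    cpu_init(&c, 1);
    begin_secure_access(&c);
    end_secure_access(&c);
    return c;
}
cpu_model scenario_request_during_access(void) {   /* state at t2' */
    cpu_model c;
    cpu_init(&c, 1);
    begin_secure_access(&c);
    scheduler_task_change_request(&c, 2);
    return c;
}
cpu_model scenario_figure1(void) {                 /* state at t3' */
    cpu_model c = scenario_request_during_access();
    end_secure_access(&c);
    return c;
}
cpu_model scenario_timeout(void) {
    cpu_model c = scenario_request_during_access();
    time_monitor_expired(&c);
    return c;
}

int main(void) {
    printf("uncontended: supervisor entries = %d\n",
           scenario_uncontended().supervisor_entries);
    printf("at t2': running T%d, TM armed = %d\n",
           scenario_request_during_access().running,
           scenario_request_during_access().tm_active);
    printf("at t3': running T%d\n", scenario_figure1().running);
    printf("after TM expiry: running T%d\n", scenario_timeout().running);
    return 0;
}
```

In the uncontended scenario the secure access costs two stores and no supervisor
entry, which is the saving the summary claims over the task change inhibit.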

Although the present invention has been described with reference to specific 
embodiments, those of skill in the art will recognize that changes may be made thereto 
without departing from the spirit and scope of the invention as set forth in the hereafter 
appended claims. 

ABSTRACT OF THE DISCLOSURE 

A method for secure access to at least one variable in a preemptively 
multitasking-controlled processor system wherein a blocking information item is input 
into an access status memory by an accessing task before a current access to at least 
one variable, and when there is a task change intended by a task scheduler during the 
secured current access a task change information item is input into the access status 
memory using the task scheduler. At the end of the current access, a release
information item is input into the access status memory and the delayed task change is
initiated by the currently accessing task when a task change information item has been
input.

In the claims:

On page 12, cancel line 1, and substitute the following left-hand justified
heading therefor:
I Claim as My Invention:

Please cancel claims 1-6, without prejudice, and substitute the following claims 
therefor: 

7. A method for secure access to at least one variable in a preemptively 
multitasking-controlled processor system, the method comprising the steps of: 
providing a task scheduler for processing tasks; 
providing an access status memory; 

inputting, via an accessing task, a blocking information item into the access 
status memory before the secure access to the at least one variable; 

checking, via the task scheduler and when there is a task change intended by 
the task scheduler during the secure access, the access status memory for an input 
blocking information item; 

delaying the intended task change via the task scheduler when the blocking 
information item is input; 

inputting a task change information item using the input blocking information
item;

inputting, via the currently accessing task, a release information item into the 
access status memory at the end of the secure access; and 

initiating the intended task change, via the currently accessing task, when the 
task change information item is input. 

8. A method for secure access to at least one variable in a preemptively 
multitasking-controlled processor system as claimed in claim 7, the method further 
comprising the steps of: 

activating a time monitoring system having a time period of at least a duration 
of the secure access; and 

terminating the secure access after the expiration of the defined time period.

9. A method for secure access to at least one variable in a preemptively
multitasking-controlled processor system as claimed in claim 8, the method further 
comprising the steps of: 

checking contents of the access status memory at the end of the secure access 
and before the inputting of the release information item; and 

deactivating the activated time monitoring system when the task change 
information item is present and transmitting a technical operating information item 
which initiates the intended task change to the task scheduler by the currently 
accessing task. 

10. A method for secure access to at least one variable in a preemptively 
multitasking-controlled processor system as claimed in claim 7, the method further 
comprising the step of: 

overwriting contents of the access status memory by the inputting of at least 
one of the blocking information item, the task change information item and the release 
information item into the access status memory. 

11. A method for secure access to at least one variable in a preemptively 
multitasking-controlled processor system as claimed in claim 7, the method further 
comprising the step of: 

forming the blocking information item, the task change information item and 
the release information item by at least one single-bit information item. 

12. A method for secure access to at least one variable in a preemptively 
multitasking-controlled processor system as claimed in claim 7, the method further 
comprising the step of: 

representing a variable by one of a variable of a software module which is
stored in a memory unit and a hardware-related setting information item which is
stored in a hardware register.

REMARKS



The present amendment makes editorial changes and corrects typographical 
errors in the specification, which includes the Abstract, in order to conform the 
specification to the requirements of United States Patent Practice. No new matter is 
added thereby. Attached hereto is a marked-up version of the changes made to the 
specification by the present amendment. The attached page is captioned "Version
With Markings To Show Changes Made".

In addition, the present amendment cancels original claims 1-6 in favor of new 
claims 7-12. Claims 7-12 have been presented solely because the revisions by crossing 
out underlining which would have been necessary in claims 1-6 in order to present 
those claims in accordance with preferred United States Patent Practice would have 
been too extensive, and thus would have been too burdensome. The present 
amendment is intended for clarification purposes only and not for substantial reasons 
related to patentability pursuant to 35 U.S.C. §§103, 102, 103 or 112. Indeed, the 
cancellation of claims 1-6 does not constitute an intent on the part of the Applicants to 
surrender any of the subject matter of claims 1-6. 

Early consideration on the merits is respectfully requested. 



William E. Vauggan 
Bell, Boyd & Lloyd LLC 
P.O. Box 1135 

Chicago, Illinois 60690-1135 
(312) 807-4292 
Attorneys for Applicants

VERSIONS WITH MARKINGS TO SHOW CHANGES MADE
In The Specification:

The Specification of the present application, including the Abstract, has been
amended as follows:

SPECIFICATION

TITLE 

Method for secure access to at least one variable
in a preemptively multitasking controlled processor system
MULTITASKING-CONTROLLED PROCESSOR SYSTEM

BACKGROUND OF THE INVENTION

Description 
Field of the Invention 

In existing and future information processing systems, for example such as
personal computers, software objects usually (also referred to as processes) - are and
will be administered using the operating system in such a way that the hardware
system, in particular the process-processing device which is provided in the
information processing system, for example such as the processor, is utilized uniformly
with the aim of high overall efficiency. In this way, the software modules which are
assigned to the processor by the operating system - (usually also referred to as tasks) -
are processed by the processor. Here, special operating systems, for example Windows
95, are provided for the information processing systems which have a monoprocessor,
i.e. the information processing system has just one processor, said the operating
systems also permitting multi-user operation or multiple-process operation on a
monoprocessor - see in this respect in particular "Architektur von Betriebssystemen"
[Architecture of Operating Systems], H. Wetterstein, Hanser Studien Bücher
[publishing house], 1984, pp. 54 et seq. The operating mode which is required for the
multiple-process operation of a processor is known in the specialist field under the
term "multiprogramming" or else "multitasking". In this way, during the execution of
a task the information processing system can also carry out a further task such as the
reading of data from a storage medium of the information processing system or, for
example, the displaying of data on a data viewing station in a "quasiparallel" fashion.

Furthermore, a distinction is made between "cooperative" and "preemptive"
multitasking. In the case of "cooperative" multitasking, each individual currently
executed task itself determines, according to requirements, the time period for which it
takes up the processor; i.e., the currently running task decides on the time when the
processor is released for the processing of further tasks. In the case of "preemptive"
multitasking, a task of the operating system, known in the specialist field as
"scheduler" or even "task scheduler", interrupts the currently executed task after a
predefined or assigned time period has finished; i.e., the time when the processor is
assigned and released is determined using the task scheduler.

In order to execute a function of the operating system, for example an
operating system task such as the task scheduler, a special operating mode of the
processor for protecting the data of the operating system task is provided which is
known as supervisor or kernel mode - see in particular Andrew S. Tanenbaum,
"Betriebssysteme - Entwurf und Realisierung" [Operating Systems - Design and
Implementation] part 1, Prentice-Hall International, 1990, pp 31/32. To do this, the
processor is switched over using a supervisor call from a user mode into the supervisor
mode and the control of the processor is thus transferred to the operating system or its
tasks. In contrast with the supervisor mode, not all instructions are acceptable in the
user mode, inter alia, in the user mode the use of input and output instructions and of
some special instructions is prohibited. Likewise, in the user mode the access to all the
data is generally not possible, for example the data of the operating system can
neither be read nor amended for non-operating system tasks.

Specifically in the case of information processing systems which act according
to the multitasking principle, variables or blocks of variables which are accessed
during the processing of a task must be protected against competing accesses, for
example by further tasks. This ensures that, for example, the errors occurring during
dual simultaneous variable access cannot lead to any blockages of further tasks or of
the entire information processing system. Such a protection mechanism is described
below using the formulation "secured access" to at least one variable, and the term
variable can refer here both to a variable of a software module which is stored in a
memory unit and to a hardware-related setting information item which is stored in a
hardware register. Such secured accesses frequently take place when specific problems
are posed, for example in information systems which are used to control real time
systems but must also access data which can be administrated, and are of short
duration in comparison to the average time period between two successive task
changes. Consequently, the probability of a task change during a secure access is very
low, but cannot at all be excluded.

The implementation of a "secure access" by a task can be carried out using various
protection mechanisms. This includes, inter alia, the setting of a task change inhibit
in order to avoid a competing access by a further task to the variables which are
being accessed by the task currently running on the processor. To do this, before the
variables to be read are accessed using a supervisor call, the processor is switched
over into the supervisor mode and the setting of a task change inhibit is requested
from the operating system in order to obtain exclusive access for the processor, and
thus also for the desired variable, for the currently accessing task. Then, the
processor is switched back into the user mode and the desired access to the variable
can be secured by the previously interrupted task; i.e., without interruption. After
termination of the secure access by the currently running task, it is necessary to
change again into the supervisor mode via a supervisor call and for the task change
inhibit to be reset by the operating system in the supervisor mode. In order to
further process the task which is currently to be processed, the processor is then
changed back into the user mode and the time monitoring activated during the setting
of the task change inhibit is deactivated in order to avoid the processor being
blocked for an indeterminately long time.

A further method of implementing a secure access is used in the synchronization of
tasks, i.e. the coordination of a number of tasks which alternately access the
processor, in order to avoid the conflicts which occur in the multitasking mode. Here,
the semaphore technique is frequently used for the synchronization of the individual
tasks. According to its mathematical-theoretical definition, a semaphore is an
integral, non-negative variable associated with a queue. Here, the initial value of
the semaphore defines how many tasks can be located simultaneously in a secured
section controlled by a semaphore. The queue contains the tasks which wait for the
secured section to be entered. To do this, a semaphore is checked and modified by the
currently running task in order to implement the secure access to a variable via an
uninterruptible read/write cycle. If, for example, this semaphore is greater than
zero, it is decremented and the secure access to the desired variable is subsequently
carried out by the currently running task. If the semaphore is already equal to zero,
the task which requests a secure access is changed into the waiting state and the
semaphore variable is not changed. At the end of the secure access to the variable, it
is checked whether tasks are waiting on this semaphore, and if appropriate, one of the
tasks located in the waiting state is activated; i.e., the processor is assigned. If
there is no task waiting on the semaphore, the semaphore is incremented again by means
of an uninterruptible read/write cycle. These uninterruptible read/write cycles to the
semaphore variable can be implemented, in a way similar to the method of the task
change inhibit, by a supervisor call and the subsequent handling by the operating
system or in the user mode with special support by the processor hardware and
processor bus hardware. Here too, time monitoring, whose function consists in avoiding
the processor being blocked for a longer than average time, is provided for the
duration of the secure access.

In the previously described implementations of a secure access to variables, a number
of operating mode changes including the associated technical operating task processing
or special support by processor hardware and processor bus hardware are necessary
during each access; i.e., secure accesses to variables increase the loading on the
processor or require additional and specially supporting hardware.

An object to which the present invention is directed lies in improving the
implementation of a secure access to at least one variable in a preemptively
multitasking-controlled processor system.

SUMMARY OF THE INVENTION

An aspect of the method according to the present invention is that an access status
memory is provided in a preemptively multitasking-controlled processor system for
secure access to at least one variable, into which access status memory a blocking
information item is input by the accessing task before a current access to at least
one variable. Furthermore, when there is a task change intended by the task scheduler
during the current access, the task scheduler checks the access status memory for a
blocking information item which has been input and when the blocking information item
has been input the task scheduler delays the intended task change. Finally, the task
change information item is input into the access status memory using the blocking
information item. At the end of the current access, a release information item is
input into the access status memory by the currently accessing task (T1) and when a
task change information item is input the requested task change is initiated by the
currently accessing task (T1). The use of an additional access status memory has the
advantage that the switching over of the processor into the supervisor mode, which,
for example, is necessary with the task changing inhibit method, and the subsequent
execution of an operating system task are dispensed with, and a considerable dynamic
relieving of the loading on the processor is thus achieved, especially since secure
accesses to variables occur very frequently when certain problems which occur during
the operation of an information processing system arise. In addition, the inputting of
the blocking information item, the task change information item or the release
information item requires only a few machine instructions and is thus easy to
implement in terms of programming technology. Furthermore, in the method according to
the present invention, in contrast to the semaphore technique, no additional hardware
support in the form of processor hardware or processor bus hardware is necessary,
which leads to a cost-effective implementation of the secure access to variables which
is not tied to specific hardware. Furthermore, during the secure access the accessing
task is advantageously not interrupted by a task change which is intended by a further
task, and in addition the intended task change is not rejected but rather delayed so
that after the evaluation of the task change information item at the end of the secure
access the intended task change can be directly retrieved by the task scheduler.

A further essential aspect of the method according to the present invention is that,
in addition to inputting the task change information item, a time monitoring system
with a time period of at least the duration of the secure access is activated, and
that the current access is terminated after the expiration of the defined time period.
The time monitoring system in the method according to the present invention is
advantageously not generally activated during the initialization of a secure access
but rather only when there is a task change intended during the current access, and
the dynamic loading, which is usually necessary during the use of the already known
methods, for example semaphore technique or the setting of a task change inhibit, is
thus dispensed with. This leads to an additional dynamic relieving of the load on the
information processing system or the processor.

According to a further embodiment of the method according to the present invention,
the contents of the access status memory are checked at the end of the secure access
and before the inputting of the release information item so that when a task change
information item is present, the activated time monitoring system is deactivated and a
technical operating information item which initiates the intended task change is
transmitted to the task scheduler by the currently accessing task. The checking of the
contents of the access status memory advantageously ensures that, directly after
termination of the secure access, the task scheduler is informed about the intended
task change which is indicated by the task change information item, because without
the indication of the technical operating information item which indicates the
intended task change, the task scheduler would not carry out the delayed task change.
Instead, the intended task change would be carried out at the time at which the
currently accessing task is interrupted by the task scheduler; i.e., the intended task
change would be unnecessarily delayed beyond the time period of the secure access.


Additional features and advantages of the present invention are described in, 
and will be apparent from, the following Detailed Description of the Preferred 
Embodiments and the Drawings. 
DESCRIPTION OF THE DRAWINGS

Figure 1 shows a schematic diagram of an information processing system to 
which the method of the present invention is directed. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 
In Figure 1, a first and a second user task T1, T2 and an operating system task BST
are represented, by way of example, according to their processing over time by the
processor of an information processing system which acts according to the preemptive
multitasking method. Furthermore, a supervisor mode SM and a user mode UM of the
processor and the associated tasks are indicated by two separate areas. Here, in the
supervisor mode SM, the operating system task BST, later also called scheduler or task
scheduler BST, is represented for processing by the processor, and in the user mode a
first and a second user task T1, T2 for the processing by the processor are
illustrated by way of example. A task which is currently in the waiting state, for
example in particular the operating system task BST at the time zero in Figure 1 and
the second user task T2, is indicated using a broken line designated by BST and T2,
and a currently executed task, the first user task T1 at the time zero in Figure 1, is
indicated by an unbroken line designated by T1.

In order to represent the timing sequence of the method according to the present
invention of a secure access gz to at least one variable, a time axis t is provided on
which a first, second, third, fourth and fifth time t1, t2, t2', t3, t3' are marked.
Furthermore, a memory unit SE1 with an access status memory unit ZSE1 at the first,
third and fourth time t1, t2', t3 is illustrated, information relating to the first,
currently running task T1 being input in the memory unit ZSE1, and the memory can be
implemented, for example, as part of a volatile memory. According to the method of the
present invention, inter alia, a blocking information item SI, a task change
information item WI and a release information item FI can be input into the access
status memory unit ZSE1 which is assigned to the first, currently running user task
T1.

Furthermore, the duration of a secure access gz to at least one variable by the first
user task T1, which extends from the first time t1 to the fourth time t3, is
illustrated. At the time zero, the first user task T1 is already currently assigned to
the processor and the second user task T2 and the operating system task BST are in the
waiting state. At the first time t1, the first user task T1 initializes a secure
access to at least one variable; i.e., the blocking information item SI is input into
the access status memory unit ZSE1(t1) by the first user task T1 instead of the
release information item FI which is input into it. Then, the first, currently
executed user task T1 is in an uninterruptible execution state and can, thus, access
the desired variables in a secured fashion.

At a later, second time t2, a task change request TWA is indicated as a result, for
example, of an external event EE, for example the presence of external messages or as
a result of the time period which is assigned to the first user task T1 by the task
scheduler BST being exceeded, and the currently executed, first user task T1 is then
changed into a quasi-waiting state wz by the task scheduler BST. Then, before the task
scheduler BST initiates a task change TW after the task change request TWA has been
received, the task scheduler BST checks the contents of the access status memory unit
ZSE1(t2'). If a blocking information item SI relating to a third time t2' is input in
the access memory unit ZSE1(t2') for the currently executed, first user task T1, the
requested task change TWA is delayed by the task scheduler BST and instead of the
blocking information SI a task change information item WI is input into the access
status memory unit ZSE1(t2'). Then, the first, currently executed user task T1 is
further processed and the quasi-waiting state wz is thus terminated again by the task
scheduler BST. The first user task T1 can thus carry on the secure access (gz) for the
desired variables without it being forced to release the processor by the task
scheduler BST. In addition, at the third time t2', the task scheduler BST activates a
time monitoring system TM in order to avoid the processor being blocked by the secure
access gz of the first user task T1 for an unacceptably long time.

At the end of the secure access gz, indicated by way of example in Figure 1 as the
fourth time t3, the contents of the access status memory unit ZSE1(t3) are firstly
checked for the presence of a task change information item WI. If no task change
information item WI has been input in the access status memory unit ZSE1(t3), the
currently accessing, first user task T1 inputs the release information item FI instead
of the present blocking information item SI, and the secure access gz is thus
terminated; i.e., the currently accessing, first user task T1 can then be interrupted
again. The currently accessing, first user task T1 can then access the processor until
the task scheduler BST provides for a task change TW; i.e., the time of use of the
processor which is assigned to the first user task T1 by the task scheduler BST has
expired or a task change request TWA is indicated to the task scheduler BST by an
external event EE.

If, on the other hand, a task change information item WI is input, a task change
request TWA is directly indicated to the task scheduler BST, as illustrated in
Figure 1, so that, after the processing of the associated technical operating tasks,
it can be used to carry out a task change TW. In addition, the release information
item FI is input into the access status memory unit ZSE1(t3) by the first user task T1
instead of the input task change information item WI and after the secure access gz
has been terminated, the time monitoring system TM is deactivated. Furthermore, the
task scheduler BST which is executed in the supervisor mode SM extracts the processor
from the first user task T1 and changes it to the waiting state.

Then, in the time period between the fourth and the fifth times t3, t3', the technical
operating tasks which are provided by the task scheduler BST for a task change TW are
processed within the supervisor mode; i.e., a task change TW is carried out by the
operating system. For the execution of the second user task T2 which the processor has
assigned at that particular time, the processor is switched over into the user mode
and the second user task T2 can thus be assigned to the processor starting from the
fifth time t3'.
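The timing sequence t1, t2/t2', t3 described above can be traced with the following C simulation, which is an added example and not part of the specification. The tick model, the function names and the behaviour on expiry of TM (writing FI and switching tasks) are assumptions; only the items FI, SI, WI and the order of the steps are taken from the text. The third scenario shows why the time monitoring system matters: a task that never inputs the release information item would otherwise hold the processor indefinitely.

```c
#include <stdio.h>

/* Contents of the access status memory ZSE1 (item names from the text):
 * FI = release, SI = blocking, WI = task change information item. */
enum zse { FI, SI, WI };

struct task {
    enum zse zse;   /* access status memory assigned to this task */
    int tm_active;  /* time monitoring system TM armed? */
    int tm_left;    /* ticks until TM expires (tick model is an assumption) */
};

struct outcome {
    int switch_tick; /* tick at which T1 loses the processor, -1 if never */
    int deferred;    /* 1 if the scheduler delayed a task change */
    int forced;      /* 1 if expiry of TM ended the secure access */
};

/* Task side, time t1: one plain store, no supervisor call. */
static void secure_begin(struct task *t) { t->zse = SI; }

/* Task side, time t3: check for WI, then input FI. Returns 1 if a delayed
 * task change must now be indicated to the scheduler (TWA).
 * In this single-threaded simulation the check and the store cannot be
 * interleaved with the scheduler; how a real implementation guarantees
 * that is not specified on the page. */
static int secure_end(struct task *t) {
    int pending = (t->zse == WI);
    if (pending) t->tm_active = 0;   /* TM is deactivated */
    t->zse = FI;
    return pending;
}

/* Scheduler side, time t2/t2': a task change request TWA arrived.
 * Returns 1 if the task change may be carried out immediately. */
static int sched_request(struct task *t, int tm_budget) {
    if (t->zse == FI) return 1;
    if (t->zse == SI) {              /* delay the change, leave a marker */
        t->zse = WI;
        t->tm_active = 1;            /* TM is armed only now, not at t1 */
        t->tm_left = tm_budget;
    }
    return 0;                        /* already WI: stays delayed (assumption) */
}

/* Scheduler side, every tick: returns 1 when TM has expired and the
 * secure access is terminated. */
static int tm_tick(struct task *t) {
    if (!t->tm_active || --t->tm_left > 0) return 0;
    t->tm_active = 0;
    t->zse = FI;
    return 1;
}

/* t1: start of secure access, t3: its end (>= horizon means "never"),
 * t2: arrival of the task change request (-1 means none). */
struct outcome simulate(int t1, int t3, int t2, int tm_budget, int horizon) {
    struct task T1 = { FI, 0, 0 };
    struct outcome o = { -1, 0, 0 };
    for (int tick = 0; tick < horizon; tick++) {
        if (tick == t1) secure_begin(&T1);
        if (tick == t3 && secure_end(&T1)) { o.switch_tick = tick; return o; }
        if (tm_tick(&T1)) { o.switch_tick = tick; o.forced = 1; return o; }
        if (tick == t2) {
            if (sched_request(&T1, tm_budget)) { o.switch_tick = tick; return o; }
            o.deferred = 1;
        }
    }
    return o;
}

int main(void) {
    /* Constructed scenarios: {t1, t3, t2}, TM budget 5 ticks, 20 tick horizon. */
    const char *name[] = { "no request during access", "request during access",
                           "task never releases", "request outside access" };
    int sc[][3] = { {2, 6, -1}, {2, 6, 4}, {2, 100, 4}, {2, 6, 8} };
    for (int i = 0; i < 4; i++) {
        struct outcome o = simulate(sc[i][0], sc[i][1], sc[i][2], 5, 20);
        printf("%-26s switch_tick=%2d deferred=%d forced=%d\n",
               name[i], o.switch_tick, o.deferred, o.forced);
    }
    return 0;
}
```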

Although the present invention has been described with reference to specific
embodiments, those of skill in the art will recognize that changes may be made thereto
without departing from the spirit and scope of the invention as set forth in the
hereafter appended claims.
ABSTRACT OF THE DISCLOSURE

A method for secure access to at least one variable in a preemptively
multitasking-controlled processor system wherein a blocking information item (SI) is
input into an access status memory (ZSE1) by an accessing task before a current access
to at least one variable, and when there is a task change intended by a task scheduler
(BST) during the secured, current access a task change information item (WI) is input
into the access status memory (ZSE1) using the task scheduler (BST). At the end of the
current access, a release information item (FI) is input into the access status memory
(ZSE1) and the delayed task change (TWA) is initiated by the currently accessing task
(T1) when a task change information item (WI) has been input.

Description

Method for secure access to at least one variable in a 
preemptively multitasking-controlled processor system 

In existing and future information processing systems, 
for example personal computers, software objects 
usually also referred to as processes - are and will be 
administered using the operating system in such a way 
that the hardware system, in particular the process- 
processing device which is provided in the information 
processing system, for example the processor, is 
utilized uniformly with the aim of high overall 
efficiency. In this way, the software modules which are 
assigned to the processor by the operating system - 
usually also referred to as tasks - are processed by 
the processor. Here, special operating systems, for 
example Windows 95, are provided for the information 
processing systems which have a monoprocessor, i.e. the
information processing system has just one processor, 
said operating systems also permitting multi-user 
operation or multiple-process operation on a 
monoprocessor - see in this respect in particular 
"Architektur von Betriebssystemen" [Architecture of 
Operating Systems], H. Wetterstein, Hanser Studien 
Bucher [publishing house], 1984, pp. 54 et seq. The 
operating mode which is required for the multiple- 
process operation of a processor is known in the 
specialist field under the term "multiprogramming" or 
else "multitasking". In this way, during the execution 
of a task the information processing system can also 
carry out a further task such as the reading of data 
from a storage medium of the information processing 
system or for example the displaying of data on a data 
viewing station in a "quasiparallel" fashion. 



Furthermore, a distinction is made between
"cooperative" and "preemptive" multitasking. In the
case of "cooperative" multitasking, each individual
currently executed task itself determines, according to
requirements, the time period for which it takes up the
processor, i.e. the
currently running task decides on the time when the
processor is released for the processing of further 
tasks. In the case of "preemptive" multitasking, a task 
of the operating system, known in the specialist field 
as "scheduler", or even "task scheduler" interrupts the 
currently executed task after a predefined or assigned 
time period has finished, i.e. the time when the 
processor is assigned and released is determined using 
the task scheduler. 

In order to execute a function of the operating 
system, i.e. for example an operating system task such 
as the task scheduler, a special operating mode of the 
processor for protecting the data of the operating 
system task is provided which is known as supervisor or 
kernel mode - see in particular Andrew S. Tanenbaum, 
"Betriebssysteme - Entwurf und Realisierung" [Operating 
Systems - Design and Implementation] part 1, Prentice- 
Hall International, 1990, pp 31/32. To do this, the 
processor is switched over using a supervisor call from 
a user mode into the supervisor mode and the control of 
the processor is thus transferred to the operating 
system or its tasks. In contrast with the supervisor 
mode, not all instructions are acceptable in the user 
mode, inter alia, in the user mode the use of input and 
output instructions and of some special instructions is 
prohibited. Likewise, in the user mode the access to 
all the data is generally not possible, i.e. for 
example the data of the operating system can neither be 
read nor amended for non-operating system tasks. 

Specifically in the case of information 
processing systems which act according to the 
multitasking principle, variables or blocks of 
variables which are accessed during the processing of a 
task must be protected against competing accesses, for 
example by further tasks. This ensures that, for 
example, the errors occurring during dual simultaneous 
variable access cannot lead to any blockages of further 
tasks or of the entire 
information processing system. Such a protection
mechanism is described below using the formulation 
"secured access" to at least one variable, and the term 
variable can refer here both to a variable of a 
software module which is stored in a memory unit and to 
a hardware-related setting information item which is 
stored in a hardware register. Such secured accesses 
frequently take place when specific problems are posed, 
for example in information systems which are used to 
control real time systems but must also access data 
which can be administrated, and are of short duration 
in comparison to the average time period between two 
successive task changes. Consequently, the probability
of a task change during a secure access is very low, 
but cannot at all be excluded. 

The implementation of a "secure access" by a 
task can be carried out using various protection 
mechanisms. This includes, inter alia, the setting of a 
task change inhibit in order to avoid a competing 
access by a further task to the variables which are 
being accessed by the task currently running on the 
processor. To do this, before the variables to be read 
are accessed using a supervisor call, the processor is 
switched over into the supervisor mode and the setting 
of a task change inhibit is requested from the 
operating system in order to obtain exclusive access 
for the processor, and thus also for the desired 
variable, for the currently accessing task. Then, the 
processor is switched back into the user mode and the 
desired access to the variable can be secured by the 
previously interrupted task, i.e. without interruption. 
After termination of the secure access by the currently 
running task, it is necessary to change again into the 
supervisor mode by means of a supervisor call and for 
the task change inhibit to be reset by the operating 
system in said mode. In order to further process the 
task which is currently to be processed, 
the processor is then changed back into the user mode
and the time monitoring activated during the setting of 
the task change inhibit is deactivated in order to 
avoid the processor being blocked for an 
indeterminately long time. 

A further method of implementing a secure 
access is used in the synchronization of tasks, i.e. 
the coordination of a plurality of tasks which 
alternately access the processor, in order to avoid the 
conflicts which occur in the multitasking mode. Here, 
the semaphore technique is frequently used for the 
synchronization of the individual tasks. According to 
its mathematical-theoretical definition, a semaphore is 
an integral, non-negative variable associated with a 
queue. Here, the initial value of the semaphore defines 
how many tasks can be located simultaneously in a 
secured section controlled by a semaphore. The queue 
contains the tasks which wait for the secured section 
to be entered. To do this, a semaphore is checked and 
modified by the currently running task in order to 
implement the secure access to a variable by means of 
an uninterruptible read/write cycle. If, for example, 
this semaphore is greater than zero, it is decremented 
and the secure access to the desired variable is 
subsequently carried out by the currently running task. 
If the semaphore is already equal to zero, the task 
which requests a secure access is changed into the 
waiting state and the semaphore variable is not 
changed. At the end of the secure access to the 
variable, it is checked whether tasks are waiting on 
this semaphore, and if appropriate, one of the tasks 
located in the waiting state is activated, i.e. the 
processor is assigned. If there is no task waiting on 
the semaphore, the semaphore is incremented again by 
means of an uninterruptible read/write cycle. These 
uninterruptible read/write cycles to the semaphore 
variable can either be implemented, in a way similar to 
the method of the task change inhibit, by a supervisor
call and the subsequent handling by the operating 
system or in the user mode with special 
support by the processor hardware and processor bus
hardware. Here too, time monitoring, whose function 
consists in avoiding the processor being blocked for a 
longer than average time, is provided for the duration 
of the secure access. 

In the previously described implementations of 
a secure access to variables, a plurality of operating 
mode changes including the associated technical 
operating task processing or special support by 
processor hardware and processor bus hardware are 
necessary during each access, i.e. secure accesses to 
variables increase the loading on the processor or 
require additional and specially supporting hardware. 

The object on which the invention is based 
consists in improving the implementation of a secure 
access to at least one variable in a preemptively 
multitasking-controlled processor system. The object is 
achieved by means of the features of patent claim 1. 

The essential aspect of the method according to 
the invention is that an access status memory is 
provided in a preemptively multitasking-controlled 
processor system for secure access to at least one 
variable, into which access status memory a blocking 
information item is input by the accessing task before 
a current access to at least one variable. Furthermore, 
when there is a task change intended by the task 
scheduler during the current access, the task scheduler 
checks the access status memory for a blocking 
information item which has been input and when the 
blocking information item has been input the task 
scheduler delays the intended task change. Finally, the 
task change information item is input into the access 
status memory using said blocking information item. At 
the end of the current access, a release information 
item is input into the access status memory by the 
currently accessing task (T1) and when a task change
information item is input 

AMENDED PAGE 



GR 99 P 1129 

- 6 - 

the requested task change is initiated by the currently 
accessing task (T1). The use of an additional access
status memory has the advantage that the switching over 
of the processor into the supervisor mode, which, for 
example, is necessary with the task changing inhibit 
method, and the subsequent execution of an operating 
system task are dispensed with, and a considerable 
dynamic relieving of the loading on the processor is 
thus achieved, especially since secure accesses to 
variables occur very frequently when certain problems 
which occur during the operation of an information 
processing system arise. In addition, the inputting of 
the blocking information item, the task change 
information item or the release information item 
requires only a few machine instructions and is thus 
easy to implement in terms of programming technology. 
Furthermore, in the method according to the invention, 
in contrast to the semaphore technique, no additional 
hardware support in the form of processor hardware or 
processor bus hardware is necessary, which leads to a 
cost-effective implementation of the secure access to 
variables which is not tied to specific hardware. 
Furthermore, during the secure access the accessing 
task is advantageously not interrupted by a task change 
which is intended by a further task, and in addition 
the intended task change is not rejected but rather 
delayed so that after the evaluation of the task change 
information item at the end of the secure access the 
intended task change can be directly retrieved by the 
task scheduler. 

A further essential aspect of the method 
according to the invention is that in addition to 
inputting the task change information item a time 
monitoring system with a time period comprising at 
least the duration of the secure access is activated, 
and that the current access is terminated after the 
expiry of the defined time period - claim 2. The time 
monitoring system in the method according to the
invention is advantageously not generally activated 
during the initialization of a secure access but rather 
only when there is a task change intended during the 
current access, and 
the dynamic loading, which is usually necessary during
the use of the already known methods, for example 
semaphore technique or the setting of a task change 
inhibit, is thus dispensed with. This leads to an 
additional dynamic relieving of the load on the 
information processing system or the processor. 

According to a further refinement of the method 
according to the invention, the contents of the access 
status memory are checked at the end of the secure 
access and before the inputting of the release 
information item so that when a task change information 
item is present the activated time monitoring system is 
deactivated and a technical operating information item 
which initiates the intended task change is transmitted 
to the task scheduler by the currently accessing task - 
claim 3. The checking of the contents of the access 
status memory advantageously ensures that, directly 
after termination of the secure access, the task 
scheduler is informed about the intended task change 
which is indicated by the task change information item, 
because without the indication of the technical 
operating information item which indicates the intended 
task change the task scheduler would not carry out the 
delayed task change. Instead, the intended task change 
would be carried out at the time at which the currently 
accessing task is interrupted by the task scheduler, 
i.e. the intended task change would be unnecessarily 
delayed beyond the time period of the secure access. 

Further advantageous refinements of the method 
according to the invention can be found in the further 
claims.

The method according to the invention will be 
explained in more detail below with reference to a 
figure.



AMENDED PAGE 



GR 99 P 1129 

In Figure 1, a first and a second user task T1,
T2 and an operating system task BST are represented by
way of example according to their processing over time
by the processor of an information processing system
which acts according to the preemptive multitasking
method. Furthermore, a supervisor mode SM and a user
mode UM of the processor and the associated tasks are
indicated by two separate areas. Here, in the
supervisor mode SM the operating system task BST, later
also called scheduler or task scheduler BST, is
represented for processing by the processor, and in the
user mode a first and a second user task T1, T2 for the
processing by the processor are illustrated by way of
example. A task which is currently in the waiting
state - for example in particular the operating system
task BST at the time zero in Figure 1, and the second
user task T2 - is indicated using a broken line
designated by BST and T2, and a currently executed
task - the first user task T1 at the time zero in
Figure 1 - is indicated by an unbroken line designated
by T1.

In order to represent the timing sequence of
the method according to the invention of a secure
access gz to at least one variable, a time axis t is
provided on which a first, second, third, fourth and
fifth time t1, t2, t2', t3, t3' are marked.
Furthermore, a memory unit SE1 with an access status
memory unit ZSE1 at the first, third and fourth time
t1, t2', t3 is illustrated, information relating to the
first, currently running task T1 being input in the
memory unit ZSE1, and the memory can be implemented,
for example, as part of a volatile memory. According to
the method according to the invention, inter alia, a
blocking information item SI, a task change information
item WI and a release information item FI can be input
into the access status memory unit ZSE1 which is
assigned to the first, currently running user task T1.




Furthermore, the duration of a secure access gz
to at least one variable by the first user task T1,
which extends from the first time t1 to the fourth time
t3, is illustrated. At the time zero, the first user
task T1 is already currently assigned to the processor
and the second user task T2 and the operating system
task BST are in the waiting state. At the first time
t1, the first user task T1 initializes a secure access
to at least one variable, i.e. the blocking information
item SI is input into the access status memory unit
ZSE1(t1) by the first user task T1 instead of the
release information item FI which is input into it.
Then, the first, currently executed user task T1 is in
an uninterruptible execution state and can thus access
the desired variables in a secured fashion.

At a later, second time t2, a task change
request TWA is indicated as a result, for example, of
an external event EE, for example the presence of
external messages or as a result of the time period
which is assigned to the first user task T1 by the task
scheduler BST being exceeded and the currently
executed, first user task T1 is then changed into a
quasi-waiting state wz by the task scheduler BST. Then,
before the task scheduler BST initiates a task change
TW after the task change request TWA has been received,
said task scheduler BST checks the contents of the
access status memory unit ZSE1(t2'). If a blocking
information item SI relating to a third time t2' is
input in the access memory unit ZSE1(t2') for the
currently executed, first user task T1, the requested
task change TWA is delayed by the task scheduler BST
and instead of the blocking information SI a task
change information item WI is input into the access
status memory unit ZSE1(t2'). Then, the first,
currently executed user task T1 is further processed
and the quasi-waiting state wz is thus terminated again
by the task scheduler BST. The first user task T1 can
thus
carry on the secure access (gz) for the desired
variables without it being forced to release the
processor by the task scheduler BST. In addition, at
the third time t2', the task scheduler BST activates a
time monitoring system TM in order to avoid the
processor being blocked by the secure access gz of the
first user task T1 for an unacceptably long time.

At the end of the secure access gz - indicated
by way of example in Figure 1 as the fourth time
t3 - the contents of the access status memory unit
ZSE1(t3) are firstly checked for the presence of a task
change information item WI. If no task change
information item WI has been input in the access status
memory unit ZSE1(t3), the currently accessing, first
user task T1 inputs the release information item FI
instead of the present blocking information item SI,
and the secure access gz is thus terminated, i.e. the
currently accessing, first user task T1 can then be
interrupted again. The currently accessing, first user
task T1 can then access the processor until the task
scheduler BST provides for a task change TW, i.e. the
time of use of the processor which is assigned to the
first user task T1 by the task scheduler BST has
expired or a task change request TWA is indicated to
the task scheduler BST by an external event EE.

If, on the other hand, a task change
information item WI is input, a task change request TWA
is directly indicated to the task scheduler BST - as
illustrated in Figure 1 - so that, after the processing
of the associated technical operating tasks, it can be
used to carry out a task change TW. In addition, the
release information item FI is input into the access
status memory unit ZSE1(t3) by the first user task T1
instead of the input task change information item WI
and after the secure access gz has been terminated the
time monitoring system TM is deactivated. Furthermore,
the task scheduler BST which is executed in the
supervisor mode SM
extracts the processor from the first user task T1 and
changes it to the waiting state.

Then, in the time period between the fourth and
the fifth times t3, t3', the technical operating tasks
which are provided by the task scheduler BST for a task
change TW are processed within the supervisor mode,
i.e. a task change TW is carried out by the operating
system. For the execution of the second user task T2
which the processor has assigned at that particular
time, the processor is switched over into the user mode
and the second user task T2 can thus be assigned to the
processor starting from the fifth time t3'.
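
The sequence from t1 to t3 described above, modelled as a single-threaded C state machine. This is an added example, not code from the application; the struct and function names, the tick unit and the handling after a TM expiry (the pending task change is then carried out) are assumptions.

```c
#include <stdbool.h>

/* Contents of the access status memory ZSE1 (FI, SI, WI as on the page). */
typedef enum { ZSE_FI, ZSE_SI, ZSE_WI } zse_t;

typedef struct {
    zse_t zse1;       /* access status memory of the running task T1 */
    bool  tm_active;  /* time monitoring system TM armed */
    int   tm_left;    /* ticks until TM expires (unit is an assumption) */
    int   switches;   /* task changes TW carried out so far */
} sys_t;

/* t1: T1 writes SI over FI before it touches the variable. */
void begin_secure_access(sys_t *s) { s->zse1 = ZSE_SI; }

/* t2/t2': BST receives a task change request TWA and checks ZSE1.
 * Returns true if the change ran at once, false if it was delayed. */
bool scheduler_request(sys_t *s, int tm_ticks)
{
    if (s->zse1 == ZSE_FI) { s->switches++; return true; }
    if (s->zse1 == ZSE_SI) {      /* delay: SI -> WI, TM armed only now */
        s->zse1 = ZSE_WI;
        s->tm_active = true;
        s->tm_left = tm_ticks;
    }
    return false;                 /* WI already set: request stays pending */
}

/* t3: T1 checks ZSE1 before writing FI. If WI is present it disarms TM
 * and hands the delayed change to BST. Returns true in that case. */
bool end_secure_access(sys_t *s)
{
    bool pending = (s->zse1 == ZSE_WI);
    s->zse1 = ZSE_FI;
    if (pending) { s->tm_active = false; s->switches++; }
    return pending;
}

/* One timer tick. On TM expiry the current access is terminated (claim 2).
 * Returns true if TM ended the access. */
bool tm_tick(sys_t *s)
{
    if (!s->tm_active || --s->tm_left > 0) return false;
    s->tm_active = false;
    s->zse1 = ZSE_FI;
    s->switches++;   /* assumption: the pending change runs after the forced end */
    return true;
}
```

On real hardware the check and the FI write at t3 must be atomic with respect to the scheduler's SI-to-WI write, or a request arriving between them is lost; the model does not cover that.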

1. A method for secure access (gz) to at least one
variable in a preemptively multitasking-controlled
processor system, a task scheduler (BST) being provided
for processing the tasks (T1, T2),

in which an access status memory (ZSE1) is provided

into which a blocking information item (SI) is
input by the accessing task (T1) before a current
access (gz) to at least one variable,

in which when there is a task change (TW) intended
by the task scheduler (BST) during the current
access (gz), the task scheduler (BST) checks the
access status memory (ZSE1) for an input blocking
information item (SI) and when the blocking
information item (SI) is input the task scheduler
(BST) delays the intended task change (TWA) and a
task change information item (WI) is input using
said blocking information item (SI), and

- into which a release information item (FI) is
input by the currently accessing task (T1) at the
end of the current access (gz), and when a task
change information item (WI) is input the intended
task change (TWA) is initiated by the currently
accessing task (T1).

2. The method as claimed in claim 1, characterized
in that in addition to inputting the task change
information item (WI) a time monitoring system (TM)
with a time period comprising at least the duration of
the secure access (gz) is activated, and that the
current access (gz) is terminated after the expiry of
the defined time period.

3. The method as claimed in claim 2, characterized
in that at the end of the secure access (gz) and before
the inputting of the release information item (FI) the
contents of the access status memory (ZSE) are checked
so that when a
task change information item (WI) is present the
activated time monitoring system (TM) is deactivated
and a technical operating information item which
initiates the intended task change is transmitted to
the task scheduler (BST) by the currently accessing
task (T1).

4. The method as claimed in one of claims 1 to 3, 
characterized in that the contents of the access status 
memory (ZSE1) are overwritten by the inputting of an 
information item (SI, WI, FI) into the access status 
memory (ZSE1).

5. The method as claimed in one of claims 1 to 4, 
characterized in that the blocking information item 
(SI), the task change information item (WI) and the 
enable information item (FI) are formed by at least one 
single-bit information item. 

6. The method as claimed in one of claims 1 to 5, 
characterized in that a variable is represented either 
by a variable of a software module which is stored in a 
memory unit or by a hardware-related setting 
information item which is stored in a hardware 
register.

Abstract

Method for secure access to at least one variable in a 
preemptively multitasking-controlled processor system 

A blocking information item (SI) is input into an
access status memory (ZSE1) by the accessing task (T1)
before a current access to at least one variable.
Furthermore, when there is a task change intended by a
task scheduler (BST) during the secured, current access
a task change information item (WI) is input into the
access status memory (ZSE1) using the task scheduler
(BST). At the end of the current access, a release
information item (FI) is input into the access status
memory (ZSE1) and the delayed task change (TWA) is
initiated by the currently accessing task (T1) when a
task change information item (WI) has been input.



Figure 